October 27, 2003

Battle with ipf

Over the past few months we've been fighting a battle with ipf (ip filter) on our production boxes. Every now and again ipf blocks packets which clearly have a rule to pass in the config file. Very confusing, and hard to pinpoint because we can't be fiddling with the firewall and turning on/off access to the machines when users are on the system.

I did some poking around on Google and found some interesting information about ipf's state feature, which we use heavily. The idea behind "state" is that the first packet gets checked against the rules and stuck in a state hash, which is checked on all packets. If you've created a state entry, then the remaining packets in a request go through quickly because they get looked up in the state table.

Apparently there is a limit to the number of state entries; once you reach that limit, state isn't kept and packets get refused (if there isn't an explicit rule to allow them through).
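As an added illustration (not from the original post), this is what the stateful rule described above looks like in ipf.conf syntax, together with an ordinary stateless pass rule that still matches when no state entry exists. The interface name fxp0 and port 80 are constructed for the example.

```text
# Added example in ipf.conf syntax, not from the post. ipf evaluates rules
# top to bottom; "quick" stops evaluation at the first matching rule.

# Stateful rule (interface and port constructed for the example): only the
# opening SYN is matched here. Later packets of the connection are answered
# from the state table without walking these rules again.
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state

# Stateless fallback: when the state table is at its limit no state is kept,
# so the rest of the connection is only passed if a plain rule like this one
# also matches it. Note that such a rule accepts packets regardless of the
# connection's state, which is what "keep state" was protecting against.
pass in quick on fxp0 proto tcp from any to any port = 80

# Default deny, logged, so that packets dropped for lack of state show up in
# the ipmon log and can be matched against the theory.
block in log all
```

Before changing rules on a live box, `ipfstat -s` prints the state-table statistics, which is where a full table would be visible.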

The current theory is that we might be exceeding the state limit, but in order to determine that we've got to bring ipf up, potentially blocking traffic. Must wait for an "off peak hour" to try it.

Posted by mike at October 27, 2003 4:29 PM